AUDIT OF E-APPLICATION SYSTEM

Report Number: 7-31
Date Issued: September 27, 2007

U.S. Small Business Administration
Office of Inspector General
Memorandum

To:       Calvin Jenkins                                        Date: September 27, 2007
          Deputy Administrator for Government Contracting
          and Business Development

From:     Debra S. Ritt
          Assistant Inspector General for Auditing
          /s/ original signed

Subject:  Audit of E-Application System
          Report 7-31

This report presents the results of our audit of the Small Business Administration's (SBA) E-Application system, an internet-based system that processes applications for the 8(a) and Small Disadvantaged Business (SDB) certification programs. The system, which was implemented in September 2004, is licensed to SBA and operated by the contractor, and interfaces with SBA's Electronic 8(a) Review System.[1] The goal of the E-Application system is to reduce application processing time by allowing applicants to receive and submit 8(a) and SDB applications electronically, and by providing 8(a) program personnel with a tool to quickly evaluate and approve applications and identify those applications which require further review.

[1] SBA's Electronic 8(a) Review System temporarily replaced SBA's Servicing and Contracting System/Minority Enterprise Development Central Office Repository (SACS/MEDCOR). This temporary system will be permanently replaced by a new Business Development Management Information System, which is under development.

The OIG conducted an audit of the E-Application system to determine whether: (1) data stored in E-Application complies with applicable laws, rules and regulations governing security of government data and Personally Identifiable Information (PII); and (2) controls over data transfer between E-Application and SBA's Electronic 8(a) Review System are sufficient to ensure the complete and accurate transfer of information.

To accomplish our audit objectives, we reviewed documentation and the vendor contract, interviewed program personnel, and analyzed data files. We evaluated the extent to which E-Application was in compliance with security requirements specified by the Federal Information Security Management Act (FISMA);[2] Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems; and Special Publication 800-53, Recommended Security Controls for Federal Information Systems, issued by the National Institute of Standards and Technology (NIST). We conducted the audit between April and June 2007 in accordance with Government Auditing Standards as prescribed by the Comptroller General of the United States.

[2] Public Law 107-347

RESULTS

Our review determined that the system's security safeguards over sensitive government data were inadequate and did not meet FISMA, FIPS or NIST requirements. For example, SBA had not developed or implemented standard security operating procedures for E-Application. Additionally, the contractor that operates the system lacked data backup and recovery capability, leaving SBA data vulnerable to loss or misuse.

System controls were also insufficient to ensure the complete and accurate transfer of information from E-Application to SBA's Electronic 8(a) Review System. For example, existing system interfaces did not have sufficient data validation and verification controls to ensure the integrity of data transferred from E-Application to SBA's Electronic 8(a) Review System. These controls were not required in the contract to build the E-Application system. As a result, SBA lacks assurance that complete and accurate data is transferred from E-Application to its Electronic 8(a) Review System.

E-Application Lacked Adequate Security Operating Procedures and Backup Capability

FISMA and FIPS Publication 200 require formalized system security plans for Federal information systems, including contractor-hosted systems. However, reviews performed by SBA since 2004 have identified significant unresolved security vulnerabilities in the E-Application system. For example, an SBA review conducted after deployment of the E-Application system disclosed that the vendor had not defined and implemented standard operating procedures to ensure security of the system. SBA reported this condition as a vulnerability and required the vendor to develop procedures to implement SBA's security policies by January 31, 2005. As of the date of this audit, security procedures had not been developed or implemented, and SBA has not held the contractor accountable.

Further, in 2006, the vendor moved the hosting site for E-Application from an approved service provider to an alternate site. After learning of the move, SBA performed a site visit and identified the following unremediated data backup and disaster recovery vulnerabilities, which placed E-Application data at risk of misuse or loss:

   •   No documented plan to bring the system up in the event of a disaster;

   •   No contract agreement for a backup storage site; and

   •   No contract agreement for an alternate data processing site.

Based on these vulnerabilities, E-Application did not meet the security requirements of FISMA, FIPS Publication 200, and NIST Special Publication 800-53. These standards require that Federal information systems have continuity of operations plans and backup data storage and processing capabilities.

E-Application Lacked Controls to Ensure the Integrity of Data Transferred

Office of Management and Budget Circular A-123, Management's Responsibility for Internal Control, requires the establishment of controls to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. In addition, controls should be established at an application's interfaces to verify inputs and outputs. Despite these requirements, system controls were not in place to continuously validate the completeness and integrity of data transferred between E-Application and SBA's Electronic 8(a) Review System. Further, we compared data in E-Application with information that had been transferred to SBA's Electronic 8(a) Review System and found that the two systems did not always reconcile.

SBA's contract with the E-Application vendor did not require that controls be implemented to ensure the completeness and integrity of data transfers from E-Application to SBA's Electronic 8(a) Review System. This requirement was not incorporated into the vendor contract because SBA originally intended to use E-Application strictly as a data capture system for paperless 8(a) applications and did not plan on transferring data in E-Application to other SBA systems. Without such controls, SBA has no assurance that data transferred from E-Application to SBA's Electronic 8(a) Review System is complete and accurate.

To address this issue, prior to our audit, SBA hired a contractor to perform a data cleansing of applicant data in E-Application and SBA databases and to establish procedures to perform automated daily validation of new and modified data items. However, the contractor was unable to complete this task because of incomplete E-Application system documentation of data structures and data mapping.

Without data validation and verification controls, SBA has reduced assurance that complete 8(a) applicant data is transferred from E-Application to its Electronic 8(a) Review System.

RECOMMENDATIONS

We recommend that the Deputy Administrator for Government Contracting and Business Development:

1. Modify the existing contract with the vendor to require the development of security procedures to implement SBA's security policies, a disaster recovery plan, a backup data storage site, and an alternate data processing site.

2. Establish appropriate controls to ensure data entered into E-Application is accurately transferred to the Electronic 8(a) Review System.

3. Validate the accuracy of data already transferred from E-Application to the Electronic 8(a) Review System.

AGENCY COMMENTS

On September 4, 2007, we provided SBA with a draft of the report for comment. On September 26, 2007, SBA provided its formal response, which is contained in its entirety in Appendix I. SBA agreed with our findings and recommendations and stated that it will migrate the E-Application system from the vendor site to OCIO premises within the next 60 to 90 days. This migration will place the E-Application System in an environment that is compliant with security, data backup and disaster recovery requirements.

SBA also stated that it will implement an enhanced version of E-Applications that includes an annual review component and will retire the Electronic 8(a) Review System. This will obviate the need for data transfers.

OFFICE OF INSPECTOR GENERAL RESPONSE

We believe the actions proposed by SBA on the OIG recommendations are responsive. However, we believe the Agency should establish target dates for completing final action on recommendations 2 and 3.

ACTIONS REQUIRED

Because SBA provided no target dates for completing proposed actions for recommendations 2 and 3, we are requesting that target dates be provided by October 29, 2007.

We appreciate the courtesies and cooperation of the Small Business Administration Government Contracting and Business Development representatives during this audit. If you have any questions concerning this report, please call me at (202) 205- [Exemption 2] or Jeffrey R. Brindle, the Program Director, at (202) 205- [Exemption 2].

Appendix I

U.S. Small Business Administration
Office of Inspector General
Memorandum

To:       Debra S. Ritt                                         Date: September 26, 2007
          Assistant Inspector General for Auditing

From:     Calvin Jenkins    [Exemption 6]
          Deputy, Government Contracting and
          Business Development

Subject:  Response to Audit of E-Applications System
          Project No. 7019

The results of the subject audit pertain to the current system, which is hosted in an off-site facility by the vendor who originally developed the system. These results paint a picture of a system that displays serious deficiencies in terms of system security, data security, recovery and contingency planning and execution. We do not contest your assessment of these deficiencies. However, they will be rendered moot by our plan to migrate the system to the OCIO premises in the next sixty to ninety days.

At that time, OCIO will take over operation of the system, and will assume responsibility for all aspects of system and data security, as well as recovery and contingency planning and execution. Once migrated in-house, the system will be subject to all OCIO-approved standards and procedures for the above (and all) aspects of system operation. The vendor will enjoy absolutely NO access to the production system after this migration. The vendor will convey program updates to the system via email to OCIO. The latter will then apply the updates to the production system, only after subjecting the new code in a separate staging environment to OCIO-approved rigorous testing and QA procedures.

The audit also mentions that the data transfer between the E-Applications system and the Electronic 8(a) Review system suffers from the absence of adequate continuous data verification and validation controls that would otherwise ensure the accuracy, completeness and integrity of the transfer. This exposure will also disappear with the execution of our plan, as it calls for the full development, testing and implementation of the embryonic Annual Review functionality currently dormant in the 8(a) SDB application, and the concomitant retirement of the separate Oracle-based Electronic 8(a) Review system. Correspondingly, when the latter system is retired, the need for the data transfer will also disappear.

Thank you for the thorough and meticulous effort that your analysis reflects. It has helped us identify and address key areas where the E-Applications system can be dramatically improved. We look forward to working with you to ensure that the system meets all applicable security standards in the future.